IBM QRadar

  • 1.  Domain Admin account lockout

    Posted Wed December 18, 2019 10:05 AM
    Hi,

    We have 6 DCs. I constantly see account lockouts happening and it is so frustrating. I log on to these domain controllers, which are a mix of 2008/2012 and 2003, and look for 4771 and 529 event IDs. I do not see anything with my logon name. Once or twice I found one and traced the source IP address to my desktop; I rebooted it and it stopped. The account lockout alert is triggered through QRadar. Unfortunately QRadar does not show me the caller computer name. This is the alert I get from QRadar:

    Payload: <13>Dec 15 18:03:00 DC02 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.7.20 Source=Microsoft-Windows-Security-Auditing Computer=DC02.domain.local OriginatingComputer=10.10.XX.XX User= Domain= EventID=4740 EventIDCode=4740 EventType=8 EventCategory=0 RecordNumber=1676210446 TimeGenerated=1576454578 TimeWritten=1576454578 Level=Log Always Keywords=Audit Success Task=SE_ADT_ACCOUNTMANAGEMENT_USERACCOUNT Opcode=Info Message=A user account was locked out. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: DC02$ Account Domain: DOMAINNAME Logon ID: 0x3E7 Account That Was Locked Out: Security ID: DOMAINNAME\admin-account Account Name: Admin-Accountname Additional Information: Caller Computer Name:

    The last field is empty, so I am unable to trace where it starts. How do I fix this one?

    I need to find the source of the problem.

    But now I still see that it is locking my account every day at either 3 am, 6 am or 4:03 pm, and on weekends on Saturdays and Sundays. I am lost and I am not sure what else I can look for. I know I am not able to get tools from my company other than the free lockout status tool. This is frustrating. How can I trace it to the root cause?


    I would appreciate it if anyone has a way to find out why it is getting locked out.

    ------------------------------
    John Francis
    ------------------------------
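An added example, not part of the thread and not IBM or Microsoft code: a PowerShell script that does on the domain controllers what the QRadar payload above cannot, because its Caller Computer Name field is empty. It reads the 4740 lockouts for the account from the PDC emulator (every lockout is forwarded there, whichever DC processed the bad password), then pulls the failed-authentication events that do carry a source (4771 Kerberos pre-authentication failures with an IP address, 4776 NTLM validations with a workstation name, 4625 logon failures with both) from every DC and tallies them by origin. It assumes the RSAT ActiveDirectory module, read access to each DC's Security log, and the placeholder account name `admin-account` taken from the payload; the look-back window is a parameter.

```powershell
<#
  Added example (not from the original thread). Find the machine behind an
  account lockout when the 4740 event's Caller Computer Name is blank.
  Assumptions: RSAT ActiveDirectory module installed, read rights on each
  DC's Security log, and $Account replaced with the real sAMAccountName.
#>
param(
    [string]$Account = 'admin-account',   # assumed: name from the payload above
    [int]$Hours = 24                      # look-back window
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
$pdc   = (Get-ADDomain).PDCEmulator                 # all 4740s are forwarded here
$dcs   = (Get-ADDomainController -Filter *).HostName

function Get-EventField {
    # Read a named EventData field from the event's XML; more robust than
    # relying on the positional Properties[] array.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-DcEvents {
    # Query one DC and keep going if it is unreachable or returns nothing.
    # Server 2003 DCs have no Windows Event Log service, so Get-WinEvent
    # cannot read them remotely: use Get-EventLog and IDs 529/644/675 there.
    param([string]$Dc, [int[]]$Ids)
    try {
        Get-WinEvent -ComputerName $Dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = $Ids; StartTime = $since }
    } catch {
        if ($_.Exception.Message -notlike 'No events were found*') {
            Write-Warning "$Dc : $($_.Exception.Message)"
        }
    }
}

# 1. Lockouts for the account on the PDC emulator. In 4740 the EventData
#    field named TargetDomainName is what the message renders as
#    "Caller Computer Name"; it comes through blank for some callers.
$lockouts = Get-DcEvents -Dc $pdc -Ids 4740 |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Account } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Caller = Get-EventField $_ 'TargetDomainName'
        }
    }
$lockouts | Format-Table -AutoSize

# 2. Failed authentications for the same account on every DC, each with
#    the source the event type records.
$failures = foreach ($dc in $dcs) {
    Get-DcEvents -Dc $dc -Ids 4771, 4776, 4625 | ForEach-Object {
        $ev = $_                                   # switch rebinds $_, so keep the event
        if ((Get-EventField $ev 'TargetUserName') -ne $Account) { return }
        $src = switch ($ev.Id) {
            4771 { Get-EventField $ev 'IpAddress' }
            4776 { Get-EventField $ev 'Workstation' }
            4625 { (Get-EventField $ev 'IpAddress'), (Get-EventField $ev 'WorkstationName') -join '/' }
        }
        [pscustomobject]@{
            Time   = $ev.TimeCreated
            DC     = $dc
            Id     = $ev.Id
            Status = Get-EventField $ev 'Status'       # 0x18 on 4771 = wrong password
            Source = ($src -replace '^::ffff:', '')    # strip the IPv4-mapped prefix
        }
    }
}
$failures | Sort-Object Time | Format-Table -AutoSize

# 3. Tally by source. The top entry is almost always the host holding the
#    stale credential (a disconnected RDP session, mapped drive, scheduled
#    task or service); lockouts at fixed times of day point the same way.
$failures | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it from a workstation with RSAT as a user allowed to read the DCs' Security logs. 4771 and 4776 are only written if the "Audit Kerberos Authentication Service" and "Audit Credential Validation" subcategories are enabled for failures on the DCs; if the tally shows only the DC itself, the failures are reaching it through another host (for example a front-end accepting the credential), and the same search has to be repeated on that host. For the 2003 DCs in the thread the same correlation works with `Get-EventLog -LogName Security -ComputerName <dc>` and event IDs 529, 644 and 675, whose messages carry the source workstation or client address in the text rather than as named fields.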


  • 2.  RE: Domain Admin account lockout

    Posted Mon December 23, 2019 09:47 AM
    Try searching for QID 5,000,910.

    ------------------------------
    Anthony F
    ------------------------------